Replacing Carbon Black with Falcon

mwestaph
New Contributor

Hello,

First time, long time.

My organization has decided to move away from Carbon Black in favor of Falcon. I used CrowdStrike's directions and successfully created a config profile and a policy. Both have been tested and are working. My predecessor had created a policy to remove Carbon Black and it works as expected.

My question - What is the best way to go about deploying this? My idea is to scope the config profile to every machine, create a smart group that identifies endpoints with the Falcon config profile installed, and uninstall Carbon Black. Then create another smart group that identifies endpoints with the Falcon config profile installed that do not have Carbon Black installed and scope the Falcon installation policy to the group. Once all endpoints have received the Falcon package, I will remove the old Carbon Black config profile.

Is this the best way to do this or is there another method that you'd recommend?

Thanks in advanced!

2 REPLIES 2

sdagley
Esteemed Contributor II

@mwestaph The method you describe should work but you're going to go through at least a couple of checkin cycles for since your Falcon install policy won't be triggered until the checkin after your CB removal policy completes and updates inventory. My approach when we replaced McAfee with CrowdStrike was to have a policy which just ran a script which triggered the policy to remove McAfee, if that policy reported success the script then triggered the policy to install Falcon.

And obligatory PSA for anyone deploying CrowdStrike, if you haven't seen @franton 's https://richard-purves.com/2022/05/03/downloading-crowdstrike-via-api-for-fun-and-profit/ blog post on a scripted install of Falcon you really should take a look.

AJPinto
Honored Contributor III

Should work fine. I prefer to deploy Configuration Profiles a few weeks before a new client is installed. Then remove Configuration Profiles a few weeks after the old client is removed.  This helps reduce any conflicts by having clients installed without Configuration Profiles. There is no harm in configuration profiles being installed for clients that are not currently installed.

 

I would deploy Falcon to all devices, even if they don't have the Configuration Profiles as it's a security tool. If its installed and not configured correctly (i.e. missing Configuration Profiles) it should report an error in the console which would draw attention to the device.